Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample: e324906e8eeaaad86049516d19fb067895f26175
SHA256: f54ca0492592d6e910fc4f17cbb5096f3e0ecda437a717e50de90f0b60e64195
Request: Tayuya [2016/09/21 - 23:09:46]
Callback: bsmax.fr
Gate: http://bsmax.fr/misc/.KhJh2M@/.KhJh2M@//menu.php|menu=ie.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://bsmax.fr/misc/.KhJh2M@/.KhJh2M@//menu.php|menu=ie.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[36, 149, 110, 159, 24, 33, 231, 85, 227, 90, 10, 98, 22, 76, 249, 9, 152, 56, 2, 205, 77, 158, 150, 74, 95, 100, 149, 180, 246, 62, 226, 54, 100, 94, 77, 111, 33, 220, 204, 63, 249, 232, 45, 62, 173, 120, 153, 104, 184, 112, 234, 175, 108, 228, 115, 132, 180, 178, 218, 107, 72, 196, 130, 72, 79, 11, 189, 106, 169, 199, 112, 216, 14, 200, 131, 46, 123, 75, 232, 113, 94, 138, 195, 189, 159, 2, 173, 148, 103, 87, 26, 78, 237, 129, 88, 133, 150, 173, 171, 226, 53, 240, 146, 100, 181, 153, 118, 229, 107, 69, 159, 161, 65, 217, 8, 177, 124, 121, 168, 142, 225, 186, 147, 129, 241, 60, 61, 223, 166, 230, 181, 11, 70, 111, 16, 143, 136, 134, 29, 198, 245, 127, 170, 40, 202, 61, 201, 151, 208, 49, 38, 224, 85, 10, 220, 89, 121, 188, 198, 191, 210, 41, 214, 81, 71, 80, 191, 87, 21, 246, 78, 219, 5, 119, 44, 255, 38, 255, 254, 127, 40, 16, 139, 231, 42, 185, 133, 214, 175, 0, 66, 50, 116, 157, 180, 79, 25, 36, 186, 252, 204, 145, 241, 88, 34, 223, 140, 120, 211, 184, 236, 246, 229, 183, 75, 245, 220, 15, 225, 240, 131, 128, 103, 43, 248, 214, 233, 220, 74, 58, 176, 91, 252, 203, 21, 37, 1, 176, 237, 157, 141, 42, 148, 44, 84, 211, 55, 166, 233, 22, 229, 187, 129, 179, 223, 92]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[149, 14, 53, 96, 243, 80, 0, 193, 57, 253, 246, 247, 123, 212, 87, 227]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [36, 49, 159, 217, 134, 78, 61, 176, 145, 111, 120, 40, 80, 42, 21, 44, 198, 56, 2, 205, 77, 158, 150, 74, 95, 100, 149, 180, 246, 62, 226, 54, 100, 94, 77, 90, 33, 220, 204, 63, 249, 232, 45, 62, 173, 10, 153, 104, 184, 112, 234, 175, 108, 228, 115, 132, 180, 178, 218, 107, 72, 196, 130, 72, 79, 11, 189, 106, 169, 199, 112, 216, 14, 200, 131, 46, 123, 75, 232, 113, 94, 138, 195, 189, 159, 2, 173, 148, 103, 87, 26, 78, 237, 129, 88, 133, 150, 173, 171, 226, 53, 240, 146, 100, 181, 153, 118, 229, 107, 69, 159, 161, 65, 110, 8, 177, 124, 121, 168, 142, 225, 186, 147, 129, 241, 60, 61, 223, 166, 230, 181, 11, 70, 111, 16, 143, 136, 24, 29, 152, 245, 127, 170, 98, 202, 231, 201, 151, 208, 149, 38, 224, 85, 10, 220, 89, 121, 188, 198, 191, 210, 41, 214, 81, 71, 22, 191, 87, 21, 246, 33, 219, 5, 119, 44, 255, 38, 255, 254, 127, 40, 16, 139, 231, 42, 185, 133, 214, 175, 0, 66, 50, 116, 157, 180, 79, 25, 36, 186, 252, 204, 227, 241, 88, 34, 223, 140, 120, 211, 184, 236, 246, 229, 183, 75, 245, 220, 15, 225, 240, 131, 128, 103, 43, 248, 214, 233, 220, 74, 58, 85, 91, 252, 203, 249, 37, 1, 176, 237, 157, 141, 76, 148, 9, 84, 211, 55, 166, 233, 22, 229, 187, 129, 179, 223, 92], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://bsmax.fr/misc/.KhJh2M@/.KhJh2M@//menu.php|menu=ie.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2'}
